Digital Identity Blog

Identity Fraud: Keeping Digital ID Cards and Citizens Safe

Posted November 21, 2017

A potential security flaw in the digital identification cards issued to citizens in Estonia as part of a massive digital transformation effort has put that country’s reputation, as well as the identity of its citizens, in jeopardy — and could lead to massive identity fraud.

In recent weeks, this small Baltic nation announced that it had invalidated the digital security certificates used in all of the digital identification cards it has issued since 2014, over fears that cybercriminals could derive the secret RSA private keys from the public keys generated by the cards and use them to commit identity fraud.

According to Reuters, the move affected approximately 760,000 individuals, including many outside of Estonia.

An e-State of Mind

Estonia began issuing mandatory digital identification cards to its citizens in 2002. Currently, 98 percent of Estonians (out of a total of 1.1 million citizens) hold a registered digital ID card. The cards, which are created from personally identifiable information provided by applicants, serve as the national health insurance card and are used to check medical records, submit tax claims, and vote electronically.

The program was later extended to people outside Estonia who do business there, creating a group of Estonian netizens. This E-Residency program provides a government-issued digital ID available to anyone in the world. More than 27,000 people from 143 countries have already applied, and 4,272 businesses have been created by these e-residents.

That’s a lot of private information potentially available to cybercriminals.

Private to Public

The problem stems from a security vulnerability discovered in the RSA key-generation library used by the cards, which attackers could exploit to recover the private key corresponding to a public key generated by that library. A recovered private key could be used to impersonate its legitimate owner, decrypt sensitive messages, forge signatures (e.g. for software releases), and more.

In late August, researchers informed the Estonian government of the vulnerability, which could allow a digital identity to be used for personal identification and digital signing without possession of the physical card or its PIN codes.

However, an October notice from the Estonian government stated that fully exploiting the vulnerability would require extensive computing power, adding that there have been no known cases of a successful attempt.

Unfortunately, a research team has since reported finding a way to exploit the vulnerability faster and more easily than first thought.
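As an added illustration that is not part of the original post: the key-generation flaw behind the Estonian revocations (publicly known as ROCA) leaves a structural fingerprint in the public modulus, so a defender can identify affected keys from the public key alone and schedule them for revocation and reissue, with no private-key recovery involved. The sample moduli below are constructed for the demonstration, not real card keys.

```python
"""Flag RSA public moduli carrying the affected library's key-generation
fingerprint. Added example, not code from the blog post or from Estonia's
ID-card program. Property used: for every small prime p, a modulus N from
the flawed generator satisfies N mod p in the multiplicative subgroup
generated by 65537 mod p; a random modulus does so with negligible probability.
"""

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537  # the public exponent the affected library builds primes around


def subgroup_mod(p: int, g: int = GENERATOR) -> frozenset:
    """Residues reachable as g**k mod p; fingerprinted moduli land only here."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % p
    return frozenset(seen)


FINGERPRINT = {p: subgroup_mod(p) for p in SMALL_PRIMES}


def has_fingerprint(n: int) -> bool:
    """True when N matches at every prime; stops at the first miss."""
    return all(n % p in FINGERPRINT[p] for p in SMALL_PRIMES)


def scan_moduli(moduli: dict) -> list:
    """Return the labels whose modulus should be revoked and reissued."""
    return [label for label, n in moduli.items() if has_fingerprint(n)]


# Constructed sample values (not real card keys). 65537**5 is a power of the
# generator, so it matches at every prime by construction; 65537**5 + 3 is
# 0 mod 5, and 0 never lies in the subgroup, so it is correctly not flagged.
SAMPLE_KEYS = {
    "card-A (constructed, fingerprint present)": 65537 ** 5,
    "card-B (constructed, fingerprint absent)": 65537 ** 5 + 3,
}

if __name__ == "__main__":
    for label in scan_moduli(SAMPLE_KEYS):
        print("affected:", label)
```

On a real inventory, `n` is the modulus extracted from each certificate's public key; the check reads only public data.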

The Storm Before the Storm

While there hasn’t been a successful attempt yet, that doesn’t mean one won’t be coming.

Cybercrime has grown ever more sophisticated and has morphed into a full-blown criminal industry, with technology at fraudsters’ fingertips capable of infiltrating just about any security defense businesses use today.

The more than 1.9 billion personal identity records exposed just this year via data breaches, including 143 million in a recent breach at a major U.S. credit bureau, are a testament to that fact.

And, as they have repeatedly demonstrated, cybercriminals can and will exploit any opportunity that comes their way.

An Anonymous Solution

The fact is, methods of identification that include static data and some sort of physical token, such as an ID card, have been rendered outdated and ineffective in a post-breach world.

Today, advanced digital identity solutions are built on dynamic data that unites online and offline attributes in real time and cannot be faked or stolen. As such, they are custom-fit for today’s digital environment.

The data elements that make up a digital identity are anonymized using tokenization, a process that replaces sensitive data with non-sensitive equivalents that cannot be converted back to personally identifiable information (PII) and thus have no exploitable meaning or value.

As more businesses and governments adopt the use of digital identity, the only thing being put in jeopardy is the success of cybercriminals.

Andreas Baumhof

Chief Technology Officer, ThreatMetrix

Andreas Baumhof is an internationally renowned cybersecurity expert and entrepreneur. As the technology lead for ThreatMetrix, Baumhof delivers the data science innovations behind the company’s pioneering anonymized global shared intelligence model. He is responsible for threat intelligence and malware research, as well as delivering innovations, such as clear-box machine learning, which keep ThreatMetrix solutions on the cutting edge. Baumhof was Co-founder and CEO of TrustDefender before its acquisition by ThreatMetrix in 2012. He was also Co-founder and Chief Technology Officer of Microdasys Inc., where he developed the first SSL proxy and holds patents in Europe and the U.S.